Mailing List Archive

Strange issue with DMARC
I have configured DMARC for one of the domains I manage, and all the tools
I used for testing gave me the all clear. I then decided to use the REJECT
policy.
Today, I was testing the implementation of DMARC checks on one other
server. I sent a test mail from one domain to another and got a rejection.
Please help me understand what has happened from the log snippet below:

2018-11-29 18:48:00 1gSOXo-0002Yp-Fd PDKIM: d=titan.co.ke s=csl [failed key
import]
2018-11-29 18:48:01 1gSOXo-0002Yp-Fd DMARC results: spf_domain=titan.co.ke
dmarc_domain=titan.co.ke spf_align=no dkim_align=no enforcement='Reject'
2018-11-29 18:48:01 1gSOXo-0002Yp-Fd H=gw.titan.co.ke [197.232.25.162]
I=[41.57.103.122]:25 Warning: DMARC DEBUG: 'reject' for titan.co.ke
2018-11-29 18:48:01 1gSOXo-0002Yp-Fd H=gw.titan.co.ke [197.232.25.162]
I=[41.57.103.122]:25 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<
XXXX@titan.co.ke> rejected after DATA: Message from titan.co.ke failed
sender's DMARC policy, REJECT
2018-11-29 18:48:01 SMTP connection from gw.titan.co.ke [197.232.25.162]
I=[41.57.103.122]:25 closed by QUIT

A test for DMARC for the domain:
root@gw:/etc/exim/opendmarc # /usr/local/sbin/opendmarc-check titan.co.ke
DMARC record for titan.co.ke:
Sample percentage: 100
DKIM alignment: relaxed
SPF alignment: relaxed
Domain policy: reject
Subdomain policy: reject *<======== could this be the issue??*
Aggregate report URIs:
mailto:postmaster@titan.co.ke
Failure report URIs:
mailto:postmaster@titan.co.ke


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Strange issue with DMARC
On 30 November 2018 3:10:26 am AEDT, Odhiambo Washington via Exim-users <exim-users@exim.org> wrote:
>I have configured DMARC for one of the domains I manage, and all the
>tools
>I used for testing gave me the all clear. I then decided to use the
>REJECT
>policy.
>Today, I was testing the implementation of DMARC checks on one other
>server. I sent a test mail from one domain to another and got a
>rejection.
>Please help me understand what has happened from the log snippet below:
>
>2018-11-29 18:48:00 1gSOXo-0002Yp-Fd PDKIM: d=titan.co.ke s=csl [failed
>key
>import]

Your issue is here.

>2018-11-29 18:48:01 1gSOXo-0002Yp-Fd DMARC results:
>spf_domain=titan.co.ke
>dmarc_domain=titan.co.ke spf_align=no dkim_align=no
>enforcement='Reject'
>2018-11-29 18:48:01 1gSOXo-0002Yp-Fd H=gw.titan.co.ke [197.232.25.162]
>I=[41.57.103.122]:25 Warning: DMARC DEBUG: 'reject' for titan.co.ke
>2018-11-29 18:48:01 1gSOXo-0002Yp-Fd H=gw.titan.co.ke [197.232.25.162]
>I=[41.57.103.122]:25 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no
>F=<
>XXXX@titan.co.ke> rejected after DATA: Message from titan.co.ke failed
>sender's DMARC policy, REJECT
>2018-11-29 18:48:01 SMTP connection from gw.titan.co.ke
>[197.232.25.162]
>I=[41.57.103.122]:25 closed by QUIT
>
>A test for DMARC for the domain:
>root@gw:/etc/exim/opendmarc # /usr/local/sbin/opendmarc-check
>titan.co.ke
>DMARC record for titan.co.ke:
> Sample percentage: 100
> DKIM alignment: relaxed
> SPF alignment: relaxed
> Domain policy: reject
> Subdomain policy: reject *<======== could this be the issue??*

This means that if a mail from foo.titan.co.ke for example was received it should use a reject policy for email which doesn't have a valid dkim signature or is sent from a host which is permitted in the spf policy.

> Aggregate report URIs:
> mailto:postmaster@titan.co.ke
> Failure report URIs:
> mailto:postmaster@titan.co.ke

Re: Strange issue with DMARC
On 05/12/2018 22:52, Richard James Salts via Exim-users wrote:
>
>
> On 30 November 2018 3:10:26 am AEDT, Odhiambo Washington via Exim-users <exim-users@exim.org> wrote:
>> I have configured DMARC for one of the domains I manage, and all the
>> tools
>> I used for testing gave me the all clear. I then decided to use the
>> REJECT
>> policy.
>> Today, I was testing the implementation of DMARC checks on one other
>> server. I sent a test mail from one domain to another and got a
>> rejection.
>> Please help me understand what has happened from the log snippet below:
>>
>> 2018-11-29 18:48:00 1gSOXo-0002Yp-Fd PDKIM: d=titan.co.ke s=csl [failed
>> key
>> import]
>
> Your issue is here.

Specifically:

the DNS lookup for the DKIM failed
or
the record parsing failed
or
the service-type was not usable
or
we didn't recognise the key type
or
the ssl library didn't like the key


Running with acl debug would tell you which of those.
--
Cheers,
Jeremy
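
The causes listed in the reply above can be narrowed down offline from the selector's TXT record (csl._domainkey.titan.co.ke, going by the d= and s= values in the log). The following is an added example, not part of the original thread and not Exim's own code: it sorts a key record into those categories using the tag rules of RFC 6376, plus the empty-p= revocation case from the same RFC. The function names and sample records are constructed, and the last check is structural only, standing in for the real key import.

```python
import base64
import binascii

KNOWN_KEY_TYPES = {"rsa", "ed25519"}  # RFC 6376 and RFC 8463

def parse_tags(txt):
    """Split a DKIM key record into a tag dict; ValueError on bad syntax."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError("tag without '=': %r" % part)
        tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def classify_key_record(txt):
    """Name the failure class for a key record; txt=None means no DNS answer."""
    if txt is None:
        return "dns lookup failed"
    try:
        tags = parse_tags(txt)
    except ValueError:
        return "record parsing failed"
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "record parsing failed"
    services = tags.get("s", "*").split(":")
    if "*" not in services and "email" not in services:
        return "service-type not usable"
    ktype = tags.get("k", "rsa")
    if ktype not in KNOWN_KEY_TYPES:
        return "key type not recognised"
    if tags["p"] == "":
        return "key revoked (empty p=)"
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except (binascii.Error, ValueError):
        return "key rejected by crypto library"
    # Structural stand-in for the real import: an RSA key is DER (starts with
    # SEQUENCE, 0x30); an Ed25519 key is the raw 32-byte public key.
    ok = key.startswith(b"\x30") if ktype == "rsa" else len(key) == 32
    return "ok" if ok else "key rejected by crypto library"

# Constructed sample: the RSA key is truncated to its standard DER prefix.
SAMPLE = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"

if __name__ == "__main__":
    for rec in (None, SAMPLE, SAMPLE.replace("rsa", "dsa"), SAMPLE + "\\"):
        print(classify_key_record(rec))
```

A stray backslash or quote left in p= by the DNS zone editor, as in the last sample, is reported as a key the crypto library would reject.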
